
Vulnerability Bulletins


Code execution in Microsoft Outlook Express

Vulnerability classification

Property Value
Confidence level Official
Impact Gain access
Difficulty Expert
Required attacker level Remote access without an account to an exotic service

System information

Property Value
Affected manufacturer Microsoft
Affected software Microsoft Outlook Express <= 6

Description

A vulnerability has been discovered in Microsoft Outlook Express 6 and earlier versions. The vulnerability lies in an error when handling certain Windows Address Book files.

A remote attacker could execute arbitrary code by means of specially crafted contact records in Windows Address Book files.

Solution



Software update

Microsoft
Outlook Express 5.5 Service Pack 2 / Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/details.aspx?FamilyId=CB0563FB-A05D-4D9D-B269-B5602B09C16A
Outlook Express 6 Service Pack 1 / Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/details.aspx?FamilyId=1F0432D4-3F45-472E-8C2D-B7B6A879ACB8
Outlook Express 6 / Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=560E8778-9733-4719-A565-614FD490C320
Outlook Express 6 / Microsoft Windows XP Professional x64 Edition
http://www.microsoft.com/downloads/details.aspx?familyid=6BE4F4CE-ABD6-4A38-84A5-8952E3531217
Outlook Express 6 / Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=FE358108-15DF-4ED9-B257-01AEB82647DF
Outlook Express 6 / Microsoft Windows Server 2003 x64 Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=DDE5C141-DE6C-4DD9-8399-6E5DB0DCC574
Outlook Express 6 / Microsoft Windows Server 2003 / Itanium-based Systems
Outlook Express 6 / Microsoft Windows Server 2003 SP1 / Itanium-based Systems
http://www.microsoft.com/downloads/details.aspx?familyid=7D3FEA7A-DDC0-4A22-A8B3-D5F46707D017

Hewlett-Packard
MS03-001 - MS03-051 / Security Bulletin HPSBST02146
MS04-001 - MS04-045 / Security Bulletin HPSBST02147
MS05-001 - MS05-055 / Security Bulletin HPSBST02148
MS06-001 - MS06-051 / Security Bulletin HPSBST02140
http://itrc.hp.com/

Standard resources

Property Value
CVE CVE-2006-2386
BID

Other resources

Microsoft Security Bulletin MS06-076
http://www.microsoft.com/technet/security/Bulletin/MS06-076.mspx

HP SECURITY BULLETIN (HPSBST02180)
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=c00828603

Version history

Version Comments Date
1.0 Advisory issued 2006-12-13
1.1 Advisory updated by HP (HPSBST02180) 2006-12-20
Ministerio de Defensa
CNI
CCN
CCN-CERT